Web Services Security ( WS-Security , WSS ) is an extension to SOAP to apply security to Web services . It is a member of the Web service specifications and was published by OASIS .
43-398: The protocol specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as Security Assertion Markup Language (SAML), Kerberos , and X.509 . Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security. WS-Security describes three main mechanisms: The specification allows
86-467: A circle of trust where each participating domain is trusted to accurately document the processes used to identify a user, the type of authentication system used, and any policies associated with the resulting authentication credentials. Other members of the circle of trust could then examine these policies to determine whether to trust such information. While Liberty was developing ID-FF, the SSTC began work on
129-451: A user agent (usually a web browser) to request a web resource protected by a SAML service provider . The service provider, wishing to know the identity of the requesting user, issues an authentication request to a SAML identity provider through the user agent. The resulting protocol flow is depicted in the following diagram. In SAML 1.1, the flow begins with a request to the identity provider's inter-site transfer service at step 3. In
172-411: A Pentium 4/2.8 GHz CPU. Some findings were: Another benchmark in 2006 resulted in this comparison: Web services initially relied on the underlying transport security. In fact, most implementations still do. As SOAP allows for multiple transport bindings, such as HTTP and SMTP, a SOAP-level security mechanism was needed. The lack of end-to-end security because of the dependence on transport security
215-604: A defined use case using a particular combination of assertions, protocols and bindings. A SAML assertion contains a packet of security information: Loosely speaking, a relying party interprets an assertion as follows: Assertion A was issued at time t by issuer R regarding subject S provided conditions C are valid. SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that service providers use to make access-control decisions. Three types of statements are provided by SAML: Authentication statements assert to
258-619: A defined use case. The most important SAML profile is the Web Browser SSO Profile. SAML 1.1 specifies two forms of Web Browser SSO, the Browser/Artifact Profile and the Browser/POST Profile. The latter passes assertions by value whereas Browser/Artifact passes assertions by reference . As a consequence, Browser/Artifact requires a back-channel SAML exchange over SOAP. In SAML 1.1, all flows begin with
301-592: A minor upgrade to the SAML standard. The resulting SAML 1.1 specification was ratified by the SSTC in September 2003. Then, in November of that same year, Liberty contributed ID-FF 1.2 to OASIS , thereby sowing the seeds for the next major version of SAML. In March 2005, SAML 2.0 was announced as an OASIS Standard. SAML 2.0 represents the convergence of Liberty ID-FF and proprietary extensions contributed by
344-617: A number of significant differences to the standard proposed by the IBM, Microsoft and VeriSign consortium. Many systems were developed using the proposed standard and the differences made them incompatible with systems developed to the OASIS standard. Some refer to the pre-OASIS specification as the "WS-Security Draft 13", or as the Web Services Security Core Specification. However these names are not widely known and indeed today it
387-431: A request at the identity provider for simplicity. Proprietary extensions to the basic IdP-initiated flow have been proposed (by Shibboleth , for example). The Web Browser SSO Profile was completely refactored for SAML 2.0. Conceptually, SAML 1.1 Browser/Artifact and Browser/POST are special cases of SAML 2.0 Web Browser SSO. The latter is considerably more flexible than its SAML 1.1 counterpart due to
430-456: A variety of signature formats, encryption algorithms and multiple trust domains, and is open to various security token models, such as: The token formats and semantics are defined in the associated profile documents. WS-Security incorporates security features in the header of a SOAP message, working in the application layer . These mechanisms by themselves do not provide a complete security solution for Web services. Instead, this specification
473-473: Is a building block that can be used in conjunction with other Web service extensions and higher-level application-specific protocols to accommodate a wide variety of security models and security technologies. In general, WSS by itself does not provide any guarantee of security. When implementing and using the framework and syntax, it is up to the implementor to ensure that the result is not vulnerable. Key management, trust bootstrapping, federation and agreement on
SECTION 10
#1732872553767516-564: Is a mapping of a SAML protocol message onto standard messaging formats and/or communications protocols. For example, the SAML SOAP binding specifies how a SAML message is encapsulated in a SOAP envelope, which itself is bound to an HTTP message. SAML 1.1 specifies just one binding, the SAML SOAP Binding. In addition to SOAP, implicit in SAML ;1.1 Web Browser SSO are the precursors of
559-570: Is an Identity Federation specification, developed by a group of companies: BEA Systems , BMC Software , CA Inc. (along with Layer 7 Technologies now a part of CA Inc.), IBM , Microsoft , Novell , Hewlett Packard Enterprise , and VeriSign . Part of the larger Web Services Security framework, WS-Federation defines mechanisms for allowing different security realms to broker information on identities, identity attributes and authentication. The following draft specifications are associated with WS-Security : This computer networking article
602-421: Is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider . SAML is an XML -based markup language for security assertions (statements that service providers use to make access-control decisions). SAML is also: An important use case that SAML addresses is web-browser single sign-on (SSO). Single sign-on
645-900: Is hard to clearly identify whether an application or server is using a pre- or post-OASIS specification. Most forum posts use the keyword "WSSE" to refer to the pre-OASIS version because it mandated the use of a "wsse" XML namespace prefix to the URL (and similar URLs of different versions). The protocol is officially called WSS and developed via committee in Oasis-Open. The following draft specifications are associated with WS-Security: WS-Federation , WS-Privacy , WS-Test . The following approved specifications are associated with WS-Security: WS-Policy , WS-SecureConversation , WS-Trust , ID-WSF . The following architectures make use of WS-Security: TAS3 . In point-to-point situations confidentiality and data integrity can also be enforced on Web services through
688-411: Is relatively easy to accomplish within a security domain (using cookies , for example) but extending SSO across security domains is more difficult and resulted in the proliferation of non-interoperable proprietary technologies. The SAML Web Browser SSO profile was specified and standardized to promote interoperability. The SAML specification defines three roles: the principal (typically a human user),
731-532: Is simply a name–value pair . Relying parties use attributes to make access-control decisions. An authorization decision statement asserts that a principal is permitted to perform action A on resource R given evidence E . The expressiveness of authorization decision statements in SAML is intentionally limited. More-advanced use cases are encouraged to use XACML instead. A SAML protocol describes how certain SAML elements (including assertions) are packaged within SAML request and response elements, and gives
774-463: Is to write transactions to an audit trail that is subject to specific security safeguards. Digital signatures, which WS-Security supports, provide a more direct and verifiable non-repudiation proof. Although almost all SOAP services implement HTTP bindings, in theory other bindings such as JMS or SMTP could be used; in this case end-to-end security would be required. Even if the web service relies upon transport layer security, it might be required for
817-401: Is transmitted, not how (the latter is determined by the choice of binding). So SAML Core defines "bare" SAML assertions along with SAML request and response elements. A SAML binding determines how SAML requests and responses map onto standard messaging or communications protocols. An important (synchronous) binding is the SAML SOAP binding. A SAML profile is a concrete manifestation of
860-495: The Shibboleth project, as well as early versions of SAML itself. Most SAML implementations support v2.0 while many still support v1.1 for backward compatibility. By January 2008, deployments of SAML 2.0 became common in government, higher education, and commercial enterprises worldwide. SAML has undergone one minor and one major revision since 1.0. The Liberty Alliance contributed its Identity Federation Framework (ID-FF) to
903-413: The identity provider (IdP) and the service provider (SP). In the primary use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an authentication assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision, that is, it can decide whether to perform the service for
SECTION 20
#1732872553767946-556: The Advancement of Structured Information Standards (OASIS) Security Services Technical Committee (SSTC), which met for the first time in January 2001, was chartered "to define an XML framework for exchanging authentication and authorization information." To this end, the following intellectual property was contributed to the SSTC during the first two months of that year: Building on these initial contributions, in November 2002 OASIS announced
989-619: The HTTP POST Binding, the HTTP Redirect Binding, and the HTTP Artifact Binding. These are not defined explicitly, however, and are only used in conjunction with SAML 1.1 Web Browser SSO. The notion of binding is not fully developed until SAML 2.0. SAML 2.0 completely separates the binding concept from the underlying profile. In fact, there is a brand new binding specification in SAML 2.0 that defines
1032-533: The OASIS SSTC in September 2003: Versions 1.0 and 1.1 of SAML are similar even though small differences exist., however, the differences between SAML 2.0 and SAML 1.1 are substantial. Although the two standards address the same use case, SAML 2.0 is incompatible with its predecessor. Although ID-FF 1.2 was contributed to OASIS as the basis of SAML 2.0, there are some important differences between SAML 2.0 and ID-FF 1.2. In particular,
1075-520: The SAML Web Browser SSO Profile, some important third-party profiles of SAML include: The SAML specifications recommend, and in some cases mandate, a variety of security mechanisms: Requirements are often phrased in terms of (mutual) authentication, integrity, and confidentiality, leaving the choice of security mechanism to implementers and deployers. The primary SAML use case is called Web Browser Single Sign-On (SSO) . A user utilizes
1118-500: The SP, the IdP may request some information from the principal—such as a user name and password—in order to authenticate the principal. SAML specifies the content of the assertion that is passed from the IdP to the SP. In SAML, one identity provider may provide SAML assertions to many service providers. Similarly, one SP may rely on and trust assertions from many independent IdPs. SAML does not specify
1161-669: The Security Assertion Markup Language (SAML) 1.0 specification as an OASIS Standard. Meanwhile, the Liberty Alliance , a large consortium of companies, non-profit and government organizations, proposed an extension to the SAML standard called the Liberty Identity Federation Framework (ID-FF). Like its SAML predecessor, Liberty ID-FF proposed a standardized, cross-domain, web-based, single sign-on framework. In addition, Liberty described
1204-506: The actual assertion via a back channel. Such a back-channel exchange is specified as a SOAP message exchange (SAML over SOAP over HTTP). In general, any SAML exchange over a secure back channel is conducted as a SOAP message exchange. On the back channel, SAML specifies the use of SOAP 1.1. The use of SOAP as a binding mechanism is optional, however. Any given SAML deployment will choose whatever bindings are appropriate. WS-Federation WS-Federation (Web Services Federation)
1247-414: The connected principal. At the heart of the SAML assertion is a subject (a principal within the context of a particular security domain) about which something is being asserted. The subject is usually (but not necessarily) a human. As in the SAML 2.0 Technical Overview, the terms subject and principal are used interchangeably in this document. Before delivering the subject-based assertion from IdP to
1290-444: The example flow above, all depicted exchanges are front-channel exchanges , that is, an HTTP user agent (browser) communicates with a SAML entity at each step. In particular, there are no back-channel exchanges or direct communications between the service provider and the identity provider. Front-channel exchanges lead to simple protocol flows where all messages are passed by value using a simple HTTP binding (GET or POST). Indeed,
1333-489: The flow outlined in the previous section is sometimes called the Lightweight Web Browser SSO Profile . Alternatively, for increased security or privacy, messages may be passed by reference . For example, an identity provider may supply a reference to a SAML assertion (called an artifact ) instead of transmitting the assertion directly through the user agent. Subsequently, the service provider requests
WS-Security - Misplaced Pages Continue
1376-539: The following standalone bindings: This reorganization provides tremendous flexibility: taking just Web Browser SSO alone as an example, a service provider can choose from four bindings (HTTP Redirect, HTTP POST and two flavors of HTTP Artifact), while the identity provider has three binding options (HTTP POST plus two forms of HTTP Artifact), for a total of twelve possible deployments of the SAML 2.0 Web Browser SSO Profile. A SAML profile describes in detail how SAML assertions, protocols, and bindings combine to support
1419-532: The method of authentication at the identity provider. The IdP may use a username and password, or some other form of authentication, including multi-factor authentication . A directory service such as RADIUS , LDAP , or Active Directory that allows users to log in with a user name and password is a typical source of authentication tokens at an identity provider. The popular Internet social networking services also provide identity services that in theory could be used to support SAML exchanges. The Organization for
1462-408: The new "plug-and-play" binding design of SAML 2.0. Unlike previous versions, SAML 2.0 browser flows begin with a request at the service provider. This provides greater flexibility, but SP-initiated flows naturally give rise to the so-called Identity Provider Discovery problem, the focus of much research today. In addition to Web Browser SSO, SAML 2.0 introduces numerous new profiles: Aside from
1505-406: The processing rules that SAML entities must follow when producing or consuming these elements. For the most part, a SAML protocol is a simple request-response protocol. The most important type of SAML protocol request is called a query . A service provider makes a query directly to an identity provider over a secure back channel. Thus query messages are typically bound to SOAP. Corresponding to
1548-630: The request for routing. In such an example, the server would see the request coming from the proxy, not the client; this could be worked around by having the proxy have a copy of the client's key and certificate, or by having a signing certificate trusted by the server, with which it could generate a key/certificate pair matching those of the client. However, as the proxy is not operating on the message, it does not ensure end-to-end security, but only ensures point-to-point security. Security Assertion Markup Language Security Assertion Markup Language ( SAML , pronounced SAM-el , / ˈ s æ m əl / )
1591-402: The service provider that the principal did indeed authenticate with the identity provider at a particular time using a particular method of authentication. Other information about the authenticated principal (called the authentication context ) may be disclosed in an authentication statement. An attribute statement asserts that a principal is associated with certain attributes. An attribute
1634-548: The service to know about the end user, if the service is relayed by a (HTTP-) reverse proxy. A WSS header could be used to convey the end user's token, vouched for by the reverse proxy. WS-Security adds significant overhead to SOAP processing due to the increased size of the message on the wire, XML and cryptographic processing, requiring faster CPUs and more memory and bandwidth. An evaluation in 2005 measured 25 types of SOAP messages of different size and complexity processed by WSS4J with both WS-Security and WS-SecureConversation on
1677-409: The technical details (ciphers, formats, algorithms) is outside the scope of WS-Security. If a SOAP intermediary is required, and the intermediary is not more or less trusted, messages need to be signed and optionally encrypted. This might be the case of an application-level proxy at a network perimeter that will terminate TCP (transmission control protocol) connections. One method for non-repudiation
1720-569: The three types of statements, there are three types of SAML queries: The result of an attribute query is a SAML response containing an assertion, which itself contains an attribute statement. See the SAML 2.0 topic for an example of attribute query/response . Beyond queries, SAML 1.1 specifies no other protocols. SAML 2.0 expands the notion of protocol considerably. The following protocols are described in detail in SAML 2.0 Core: Most of these protocols are new in SAML 2.0 . A SAML binding
1763-420: The two specifications, despite their common roots, are incompatible. SAML is built upon a number of existing standards: SAML defines XML-based assertions and protocols, bindings, and profiles. The term SAML Core refers to the general syntax and semantics of SAML assertions as well as the protocol used to request and transmit those assertions from one system entity to another. SAML protocol refers to what
WS-Security - Misplaced Pages Continue
1806-585: The use of Transport Layer Security (TLS), for example, by sending messages over HTTPS . WS-Security, however, addresses the wider problem of maintaining integrity and confidentiality of messages until after a message is sent from the originating node, providing so-called end to end security . Applying TLS can significantly reduce the overhead involved by removing the need to encode keys and message signatures into XML before sending. A challenge in using TLS would be if messages needed to go through an application-level proxy server , as it would need to be able to see
1849-550: Was another factor. The protocol was originally developed by IBM , Microsoft , and VeriSign . Their original specification was published on 5 April 2002 and was followed up by an addendum on 18 August 2002. In 2002, two proposals were submitted to the OASIS WSS Technical Committee: Web Service Security (WS-Security) and Web Services Security Addendum. As a result, WS-Security was published: The version 1.0 standard published by OASIS contained
#766233